Posted
by
timothy
on Wednesday May 05, 2004 @04:30AM
from the thanks-for-using-windows dept.

jonman_d writes "The Sasserworm has recently disabled the computer systems of Britain's Coastguard. Naturally, this event raises even more doubts over the reliability of Microsoft software in critical systems. Moreover, it raises questions of responsibility: if the worm writer is caught, can he be held at least partially responsible for any deaths that occured during this outage?"

if the virus writer is the "terrorist" then the coast guard admin is the idiot who ignored the "we're coming to bomb $building at $time on $day in a $colour van with registration $reg" message.

Don't forget the 'oh, and please leave the gate open or we'll have to go somewhere else'.

Yes, it is partially Microsoft to blame as well - which twit thought it would be a good idea to have ports open by default with services listening to whatever crap other computers might send? You really have to trust your programming to allow something like that. If it's not actually necessary, why do it?

I still don't buy the "Microsoft is responsible" talk, sure their software is buggy, but so is many other software. I've seen Linux and other Unix systems rooted, yet nobody starts claiming "It's all Linus' fault" etc.

Okay, so the Free Software folk invariably have patches out within hours of an exploit being discovered, but this hole has already been patched too.

The onus is on the virus writers (and Script Kiddies etc) who write malicious code and to some degree on people not maintaining their systems.

Not locking your front door doesn't give you the right to blame the door-making companies when you get burgled. You can still blame the burglars, but you're out of luck if you claim insurance since it's your own fault.

It's different if there aren't any patches, and I'm well aware that Microsoft have their problems and need to be more secure, but I still stand by my judgement that they can't be held responsible for every virus outbreak that happens!

There is little comparison between unlocked doors and computer worms. If my nieghbor doesn't lock his door and gets robbed, this probably doesn't mean that the robbers will now use my neighbor's house as a place from which to launch a robbery of my house. However, on the net, when someone leaves an unsecured, hacked system running, their computer increases the risks for everyone else because, whether they know it or not, they are helping the virus writers breed their nasty little piece of software.

Whether or not my neighbor is to blame for having been robbed (which I don't believe he is), the point is: if my neighbor's computer is hacked and starts to attack mine, that's when we start to have a heightened sense of his responsibility in the matter.

Not locking your front door doesn't give you the right to blame the door-making companies when you get burgled.

What if the door company advertised their doors in a way that led you to believe that the door was locked when a design flaw meant it wasn't? And when the design flaw was pointed out to them, they mentioned it with a free fix on their website, but did nothing else? And a hundred thousand people were all robbed on the same night? In meatspace, people would be screaming for blood. I think the a

You have a bus, except the bus has unlocked windows, but all the seats have safety belts. There's a driver at the front of the bus with a credit card, but all the passengers are holding tickets. Made of paper. Then it rains. Meanwhile there's a guy on the street corner trying to sell chickens, who gets on the bus. Except the bus is full. So he opens one of the windows, and his bag, which has chickens in it (remember, he sells chickens) falls off his shoulder because he wasn't using a strong enough strap. Meanwhile because the window's open, rain starts getting into the bus, making several of the passengers, and their tickets, wet. As a result, that makes the writing on them illegable and they get thrown off the bus, because the bus driver thinks they're going to Basingstoke when they're actually going to Boston, MA, which is where the bus goes. What the guy selling the chickens doesn't know is that the people who get thrown off the bus end up with the chickens.

Yup, it comes down to everyone. It's easy to say "MS sucks, look at this proof" but the fact is MANY systems are vulnerable to malicious intent and the free solutions escape much of this attention simply because fewer people seem to be - for now - writing exploits.

A solution to this problem has been around for weeks now, yet one or more of these system were left unpatched. So yeah, the virus writer surely bears some responsibility, but then again so does the coast guard. And even if an MS OS did not exist at all and these folks had been running linux, if there were a similar exploit floating around in the wild would the admins who left this door open have fared any better then?

You can't hold MS responsible for the incompetence of the coast guard admins. Yeah, their software had an exploit - but they also had a solution available and it's not like this was any kind of secret. I hate to be this trite, but it's appropo here to remind everyone what "mama" always said: stupid is as stupid does...

This sounds like the argument "Well, our tires do tend to blow-out at high speeds but why should we be held responsible? The EULA which comes with our tires specifically says that we are not liable for any damages and you agreed to our EULA by using our tires."

As another poster in this thread so proudly pointed out, there have been seven exploits for Apache in the wild. Is this accurate? I don't keep track of such numbers, but I'll point out that if true this points out exactly what I said: fewer exploits, fewer attacks.

MS has a "windows update" feature. It doesn't take a genius to enable it. Now, granted this feature can cause headaches if you have a large number of systems to update, but you can also perform similar processes under your own control (if you are an admin) and yet this wasn't done. Turn off all those ports? It doesn't take a genius to download the shavlik lockdown tool linked to by MS itself that will "audit" your system and close any unused ports. It also doesn't take a genius to click to e-eye for an external audit.

There are so many ways to fix these systems it's nuts. Yeah, they require a tiny bit of effort - one would think that's why the British taxpayers pay these administrator's salaries.

I'm no shill. I run both windows and linux, although I've been using windows a LOT longer and am, therefore, more able to exploit it. So are a lot of people, which makes it that much more vulnerable. And yet my own linux firewall was hacked one time because... tada... I was running a version of Smoothwall, didn't know the distro or what I was doing, and in the setup config the SSL port was left open and the service running and no explanation was made of the significance of this. As a result my "firewall" was owned within days, zone alarm disabled on one of my (unpatched) windows boxen, and (in short) the entire network became owned. I migrated to IPCOP then reloaded and patched the windows box, just a little wiser and smarter.

Just as so many here are fond of saying "slashdot doesn't have just one mind" I'll remind others who are dumping on MS over this there have been and are plenty of linux distros, and not all of them uniformly secure or stable "out of the box."

Holding the software maker responsible for something like this is as stupid as holding the coca-cola company responsible when some idiot pulls one of their vending machines over onto himself. Would you be so quick to call for heads on a stake if this were a network of Redhat boxes? How about a few dozen Suse desktops? It doesn't matter what OS you are using, problems like this almost always come down to one thing: PEBKAC.

Well, the reason that a Windows admin is more busy with such stuff is twofold:- More bugs- Have to keep fixing things that are not being used at all, but that can't just be uninstalled/disabled.

For example, on my (FreeBSD in this case) Open Source OS based server, I can simply ignore patches for web browsers, mail clients, and generally any gui based program since they are not installed or at least not functioning, and definitely not listenign to the outside world without me havign set it up that way very explicitly.

I do have to watch a very specific shortlist of products that need to be kept uptodate, and I'll get a message on my phone in case a critical bug in one of those products is published in any of the known ways.

Having this shortlist of products (FreeBSD core, openssl, openssh, Apache, PHP) makes it very managable, and in the end I don't have to update things that often.

It would also really help a lot if MS patches didn't break so much and so often. I can remember virtually every case where a FreeBSD patch managed to messup my system over the last 8 years, and the last one goes back to the 3.x era some years ago. It seldom happens, and its in fact so exceptional that I can run the risk of it happening on my production servers. The risk and consequences are waaay smaller then the much more likely breakins that would result if I dont apply the patches.

At any rate, it doesn't take much time, and it is very clear what I have to watch and patch to keep secure. That is one of the main problems with Windows, even when you are a competant admin, you have so many things to watch, and keep discovering new things all the time.

Yes, I do believe that MS can be blamed for that problem. Such a system is not suitable for anything other then connecting to an isolated and trusted local area network. THe fact that windows uses IP for many LAN orriented services makes the problem a lot worse.

I wasn't meaning to imply that MS shouldn't be blamed for the problem. Just trying to point out that even with a good patching solution, even the best ones will fail if the system admin doesn't apply them.

MS should bear the blunt of the blame. For as much revenue that is generated by their products you would expect them to have a better product by investing into it. By no means though is MS the sole bearer of the blame. The organization that chooses to use the OS and the administrators that don't keep up with the OS maintenance also share some of this responsibility.

"but also some responsibility on the retards who didn't get a secure system - MS is officially unsuitable for this sort of thing."

Hmmm

How about any unpatched operating system is officially unsuitable for this sort of thing.

Yes blame can and should be placed on MS for the design and security features of their software however a large portion of blame should go to the individuals and organisations that do not regularly update their systems.

The problem with patching Windows systems is that a responsible admin will not simply roll out the patches across all the systems. Microsoft is very good at giving you two problems for the price of fixing one so a lot of Windows admins do extensive testing of patches before applying them across all their systems. In another situation, I would give them the benefit of the doubt and say they were hit while testing the patch.

However, this isn't another situation and, if their machines had been properly firewalled (can someone please explain to me why any ports other than those for servers running in a DMZ should be visible over the net, because I'll be damned if I can think of any) they wouldn't have been infected. Hell, if they had zonealarm running on all the boxes they'd be safe even if they don't have a decent firewalls between their LANs and the net.

Yes, Microsoft isn't without blame (maybe if they made patches that didn't crap all over your machines life would be better) but in this case sloppy admins have struck again.

I think it would be a lot better for companies to persue options that would help prevent these kinds of things, not a short term asskicking to some scriptkiddy, when you know thousands more are willing to jump into his shoes for some "internet notoriety" or other BS.

You see, I disagree. I see this another way: If this were a car company, security would be an issue that wouldn't even be feigned with interest from the court system.

Operating systems are designed to be just that...an operating system. No matter how secure they make it, there will be some dirty virus writer out there that shatters that security. Now, I think it is good business practice for software companies to protect the best that they can against hackers, scripts, viruses, etc. However, that really isn't the business they are in... security. The deplorable human state has forced them into this position, but I pose the question: is it fair?

I mean, back to your car reference: If you drove through a bad neighborhood and a guy runs out, beats your window in with a baseball bat, and steals your backback, is the car company responsible for not making unbreakable windows? (pun intended) This would probably be laughed out of court, so I don't see how we can really blame the Operating System companies for a lack of security when all they are selling is an operating system.

Now, again, I think that they should secure it to the best of their ability... and that some of the security holes I have seen are ridiculous. And, if they tout complete security as a feature, then they are taking on that part of the business.But, and correct me if I am wrong, I don't think most companies advertise 100% security anymore for this very reason. Because that is just a pipedream.

If someone breaks into my house, I am not suing the person who built my house. I am buying a security system (firewall) and using it. However, I assume that this isn't 100% effective, either.

I completely agree. If some moron breaks a window, you don't blame the windowmaker.

Sadly, though, people still insist upon hounding the easy target. Look at the plight of the tobacco companies. I smoked for ten years, and let me tell you: I never met a smoker who did not know that smoking was bad for them, even potentially fatal. Unfortunately, once they've succumbed to the big C, their survivinng heirs go nuts and sue everyone remotely connected with their deaths.

This is true in aviation, too...half the price of a new plane just covers the manufacturer's liability insurance. Surviving heirs seem to insist upon driving another nail into their dead spouses' favorite hobby whenever the poor slob augers in.

How the gun companies have managed to, ahem, dodge the bullet in this regard so long is beyond me.

Anyway, I think it's obvious that you cannot have a completely secure OS unless you bury it in a box somewhere and don't let it talk to anybody. Fat lot of good it would do anyone then.

String the little vandals up, they deserve it. I think most of these little punks do it for the power trip, anyway (Dude, we shut down the Eastern Seaboard power grid, huh, huh). Let them have a little taste of the responsibility that comes with power.

Maybe we could lock them in a little room with a bunch of REAL worms...

And, if they tout complete security as a feature, then they are taking on that part of the business.

"Amid increasingly frequent and sophisticated network attacks, users expect their systems to remain resilient, and for system and data confidentiality, integrity, and availability to be maintained. (...)As a leader in the computing industry, Microsoft carries a substantial responsibility."

If someone breaks into my house, I am not suing the person who built my house.

Even if the lock and indeed the whole of the front door is pathetic, has known vulnerabilities and the maker still touts it as secure with the well-known chairman of the company that built the house (door, lock and all) having announced a big push for increased security almost two years ago? How is the buyer of that house supposed to know that his front door is made of a material that looks like steel and feels like steel but offer about as much protection from burglars as Aerogel?

Why is that the Operating System companies responsibility, though? When does the act of booting a machine and writing a document imply security? An operating system, in the beginning, likely did not have security in mind at all. It was crimminal behavior that forced them, at the cry of the market, to start securing the system. However, how much responsibility is it of the OS company to provide security against crimminal behavior when that isn't a part of their business model? Why not leave that respons

It's not so simple as 'microsoft is accessory to manslaughter' though. I'm sure the Microsoft EULA says it's not for use in safety-critical applications. People need to "vote with their feet" and switch to other products if they want secure systems, then MS may address the problem.

Actually, there'd probably be people pointing fingers at everyone else. Was the problem with the gun, or the bullet? Maybe the problem was caused because you didn't keep the gun in proper care. Maybe the gun was old and out of date.

if the gun exploded in someones hand then that would be a result of a defect, and something that is not caused by a malicious user. Slam Microsoft all you want, nothing wrong with that, but realize this specific incident would not have happened with out a malicious user.

The analogy is still wrong.

Say a gun manufacturer manufactures a gun that will work for most people most of the time, and failures only involve reloading, no actual damages. This same gun, through poor engineering, has a weakness in the barrel that can only be affected by a certain type of ammunition. The manufacturer doesn't consider this important because nobody manufactures that type of ammunition, it's worthless ammo.

So someone handcrafts the ammunition that will exploit the flaw, sneaks into your house and loads your gun with it, then escapes without leaving any trace other than the ammo in the gun.

Now the gun blows up in your hand. Who's at fault?

Even stretched to the limits as the analogy is, there's one primary difference between this analogy and the actual topic. For guns there aren't thousands of individuals building ammunition specifically designed to ruin the guns and possibly hurt the people firing them. For computers, there are. If this were to happen for real with a gun manufacturer, the manufacturer would be acquitted of all charges, because he had a reasonable expectation that what became an engineering flaw through exploit would not ever be a problem. Not so with the OS producer. They have a reasonable expectation that their OS will be attacked, and the more market share they have, the more this expectation resembles waiting for the sun to rise, i.e. you *know* it'll happen.

The OS producer must bear some responsibility for it, for the same reason a car manufacturer must bear some responsibility for injuries sustained in a car accident due to safety systems not well-engineered. Even then, we tend to forgive the car manufacturer, because accidents aren't supposed to happen, and there's usually some idiot at fault.

I'm all for pointing at Windows and saying it sucks any day of the week, but I'm not so sanguine to blame microsoft for the script kiddie that wrote the virus. It's grey area, there. And let's not forget that our beloved GPL disclaims all warranties as well...

In the UK at least the police would have quite a list of things to charge the virus writer with. The coastguard and microsoft might also have liabilities.

As with most of the EU you cannot disclaim liability for death and some forms of injury, whatever you write on the license. (Nowdays "Not verified for use in safety critical systems" seems to have become an accepted way of ensuring the liability lands on the user though).

Considering the car analogy

You can be liable if you make a car with dodgybrakes (unsuitable product, forseeable that it will cause an accident)You can be liable if you knowingly drive a car with bad brakes (because its forseeable that this will cause an accident)and you are most definitely going to get into trouble if you empty a bucket of oil over the road surface (aka writing the worm)

... are a LOT more responsible about their products as a rule then almost any industry, perhaps airplanes might be the closest, they always recall and repair or replace defective products, and go to some lengths to get the word out to the owners, and it goes beyond 90 days, and beyond the original owner on any defects. I know because I worked in a firearms warranty repair center before and been an enthusiast since I was about as tall as a.22 rifle. It's years and years in some cases with warranties. Many now come with a default "forever" warranty. In fact, they have some of the best warranties and repair/recall efforts in any industry. We would be *lucky* if all products had as good a warranty. Like name a major manufactured mechanical product that comes with a lifetime warranty now. Washing machine? Automobile? Bicycle? Hard drives? Radio? Anything? There might be but I can't think of any off the top of my head, but firearms are treated that way in a lot of cases now, and even in other cases where the warranties expire, recalls are still done if a defect is found.

The big problem is software got a compoletely 100% "free ride" in the beginning, it was allowed to be sold with zero warranties, I guess to get the business off the ground or something. Or maybe... I dunno, can't think of a good reason really. They just slap got away with something no other industry has as far as I know. You can't sell a 1 cent stick of gum without it having actual and implied warranty to it.

This deal was way back when it first really took off (I really need to research this now,it's gonna bug me why they got such a sweet deal), now it's been decades. DECADES. Untold hundreds of billions of dollars in pure profits. Huge numbers of wealthy people and businesses involved with it. It's "mature" now. Time to insist on "profitable" software to have warranties, and hold the manufacturers liable for obvious defects. They have "Get out of any Responsibility" EULAs, but still "enjoy" full ME ME ME IT'S ALL MINE MY PRECIOUSSSS protection "under law" for "Intellectual Property" and make tons of cash, well, that is teh obvious suck now and ayone can see that.

It's one or the other, if the software makers want to treat electronic digits as some sort of extremely valuable commodity product, with PATENTS on it even, which they sell at a very, very good profit, they need some sort of a minimum consumer warranty applied to them, or strip them of their profitability, one or the other. Enough's ENOUGH on the free ride they get. The software industry is "mature" enough to treat those business people as normal adults, same as anyone else in any other industry.

We NEED a class action suit in general against free ride EULAs across the board for for-profit software, and it needs to go to the supreme court and be won.

I am surprised as all get out with all the other litigation that goes on in our society that a set of profitable businesses who have gotten hosed over and over and over again by these obvious defects haven't challenged those EULAs as being absurd and illegal in the first place. Name another industry that would dare to put out such a "contract" for consumers and have it accepted. It's quite absurd, they'd be laughed at, but "software" is now the biggest example of legal "conware" there is.

And YEP, I could care less if it meant that "releases" slowed to a crawl, wouldn't bother me one bit or byte. Consumers want quality, few if any defects, they just been faked out that crapware is "good enough" and the industry as a whole has all colluded to profit off of crap and conware. It's just plain stupid, and ethically wrong. We can see now that software is so "embedded" in our society that you can't really say now that "no one is effected" when defects show up. it can get downright dangerous, and it certainly costs consumers tons of cash to keep fix and repaired stuff that shouldn't be shipped broken in the first place. We need less patches, and more "it don't need to be patched" software

I agree that it isn't appropriate, but we in the U.S. have seen the application of the DMCA extend beyond its original intentions to be used to prosecute anyone who violates not only copy protection, but basically any sort of protection scheme. The DMCA has grown beyond simple copyright legislation, unfortunately, and that is why I suggested it.

I don't believe that it should be used in such as way, but if it is used to go after the "good" guys, then why not the bad as well?

Lately, it seems, the DMCA is trying to become the all-encompasing way to prosecute anyone who peeks somewhere they "shouldn't." This wouldn't work if someone explicitly opened the virus and it infected the system. However, if the virus sat there and hammered at holes in the software until it wormed its way in, then I don't see why they couldn't use the DMCA against that, as well.

I wasn't really suggesting it so much as putting it out there as a thought open for discussion...

Is Microsoft Software actually certified for safety critical systems? I thought it was not warranted for that use.However, it's not just the software at fault. Whoever implemented the system was sharing a network with other people's machines in some way, without a firewall. There is fault spread out here, between microsoft, the lifegaurds IT people, and the virus writer.

My thoughts exactly. Back here in Finland a bank had to close shop in the entire country for a day because of Sasser. Instead of being worried about how they didn't update their systems I'm more worried why MS is being used on mission critical systems like banks and the coast guard.

Is Microsoft Software actually certified for safety critical systems? I thought it was not warranted for that use.

Back to the issue of using the right tool for the right job. In many situations no "Off The Shelf" ("Commercial" or otherwise) is suitable.From an engineering POV an Open Source System is more likely to be a good tool, even if you use some standard package/distribution as a starting point. Since you can then verify that it does what it should do and only what it should do. (A lot of malware involves use of unneeded "features".) Something which is very difficult with proprietary software since you need to take things of trust from the vendor and virtually impossible with something like Windows. Which in addition to being proprietary software contains deliberate "sphagetti code".

Err... Who told you that the UK coast guard is a safety critical system? Who actually told you that they do anything besides wasting public money?

All the real work is done either by RAF or by volunteer lifeboats which do not get a single penny of government money. Frankly, I find it shamefull and disgusting that a country in the big 8 wich is also an island is incapable of even financing its lifeboat crews.

So frankly, if someone will wipe off the coast guard completely noone will notice. Emergency service

Why did the the UK Coastguard allow this to happen? The Sasser worm is 100% preventable if your system is properly patched and firewalled.

If their Coastguard's mentality is anything their American counterpart's I can think of a damn good reason why this happened. *Support contracts*. Legendary documents written in stone that require that a specific agency do all maintance and repair of their PCs. Dispite the fact that the operator is more then able to click on the reccomended patches, doing so could get you into alot of trouble. Your not going to trust your military's computer system to enlisted folk, and chances are the officers are not aware of preventive measures. Those who are assign such tasks to contract companies.

Taking these matters on your self opens you up to a whole bunch of no fun, such as the military justice system. So one learns it's not their job... nothing will ever get done about it... and hope one's tour of duty is up reall soon before you go insane.

Your not going to trust your military's computer system to enlisted folk, and chances are the officers are not aware of preventive measures. Those who are assign such tasks to contract companies.

I dont speak for all military, but the Army has an entire major command dedicated to nothing but computers. Formed in 99 NETCOM has actully done a fairly good job in keeping things working. As far at threat detection, patch verification, and orders to deploy, NETCOM tends to be on a 72 hour turnaround. Given that the patch was issued April 13, its way ahead of an outbreak like Sasser. Even better, they have the authority to disconnect. The orders to patch go straight to company commanders and sysAdmins who can be repremanded if their unit goes down. Even if they give the task to a contractor, they are still liable Id hate to be the company commander who sees the brigade commander over virus outbreaks. That seems to keep them in line pretty well.

Damn straight. Somebody needs their ass kicked over this one. Hopefully nobody dies as a result.

When your systems are that important, it's madness to run them unsecured. There should be strong firewalls on the networks and virus scanners on every machine. If the virus finds a way in (say a managers laptop) there's no way it should be able to spread. And vulnerable systems (*cough* Windows *cough*) should be kept to a minimum.

I know some folks say if it's behind the firewall it's safe, but as we see again and again, that's rarely the case. It's my policy to ensure *every* machine is updated as required, and the servers and Windows machines run AV software.

out coastgaurd (for you non-UK is actually called the RNLI which stands for the Royal National Lifeboat Institution)

That's not true. The coastguard is an executive agency of the Department for Transport (DfT) [mcga.gov.uk], whereas the RNLI is a charitable organisation. It is true that a lot of the sea based rescues are performed by RNLI volunteers but a lot of the coastal emergencies are tended by the coastguard itself. Helicopter rescues for example, don't involve the RNLI.

In other words, it is the Government's responsibility to hire competent administrators.

The Coastguard is responsible for coordinating various organizations (RNLI,RAF, RN etc.) in search and rescue operations in the UK. It is a agency of the department of transport. They monitor the emergency broadcast channels for the UK and a large section of the Atlantic ocean and often further a field. Throughout the UK they have a number of rescue teams who often get involved with more than just maritime emergencies.
The RNLI as you stated is a charity, staffed almost completely by

There is a UK Coast Guard service. But this is a comparativlely small organisation which monitors radios traffic for distress calls, does traffic management on busy shipping routes and coordinates search and rescue operations.

The actual rescue is usually done by the RNLI which has boats manned by volenterr crews and is funded as a charity, or, if anything airborne is required it is supplied by the airforce, (additionally police, fire brigade etc. may be called in).

Unfortunately, there is one more option. That is the cost of maintaining windows systems. Believe it or not, there are people out ther (my self included) who dont have broadband. Please try keeping a windows install up to date over dial-up. It cant be done. Once a month I unplug my machine and take it to a friends house to update it. For people like myself (who exist in our millions) windows cannot be kept up to date, and Gates denys that we exist.
If microsoft were really taking security seriously, then all patches would be included weekly on magazine cover discs. And ISO images would be downloadable from msupdate so that we could download elsewhere. Unfortunately this is not the case and there is _NO_ good reason for it.
Cost is zero to ms.

I tried that update cd (figured if nothing else it would be useful to take to friends houses who have dialup and need patches). The cd took no less then three months to get to my house! The post mark was like 4 days before I received it so it was in proccessing for 3 months. In that time several news security patches had come out....If they can't get the CD out in a few days, it's worthless. For instance, sasser? That CD would have been useless... as I still wouldn't have it.

Oh yeah, the CD is useless as a rapid response option. The only use of it is to take off the top 200Mb of your download, hence saving you some of the dialup costs. once the CD is installed, you must get the latest stuff, hopefully just a few mb, from win update.

The real point is that no outside software can do anything bad to a Mac machine by default, because no ports are open.

If you turn a service on, then you KNOW IT IS ON, and you KNOW YOU NEED TO CHECK IT FOR SECURITY.

We're talking consumer client OSs. The vast majority of the users never turn anything on (and by default, never get a worm).

Imagine if Windows took that same philosophy...

In general, I am perfectly happy for even server machines to be shipped with only those ports open that I manually specify, or turn on myself. It's secure by default, services on demand, not unadministered services by default. The latter is insanity in today's networks.

It's not just Linux that forms a good alternative to Windows. OPenBSD was built to be a secure OS. Where lives are involved, there is good reason to go the extra mile to use an OS which, though less convenient, has proven to be more reliable. In the current era, with all these worms, Microsoft just isn't the best alternative.
On the other hand, all they needed to do was use http://windowsupdate.microsoft.com and enable Windows' built-in firewall software.
Worm and Virus writers should be made to know that they are accountable when their creations do what they were (mis)designed to do "take over systems, disable them, disrupt networks?" How do you actually catch the original author of a worm, anyway?

OK I know there's going to be a million comments about how we should all patch vulnerabilities and there'd be no problems... and then the inevitable responses from admins who haven't done so because testing hasn't been complete and the patches are causing more problems after doing them...

But...

Why aren't MS patches single discrete objects? One patch for One vulnerability? That way IMHO clears the problem of a "patch" that comes up, is huge, and attempts to fix ten documented vulnerabilities (but knowing the code used in huge projects, it's possibly many dozen fixes at once).

This kind of fine grained control is what works WELL in debian for example. To update an error in ssh, download it's patch. to update an error in an x library, update that one library. Not bundled in with loads of extra crap

I suspect this is a marketing thing. MS can truthfully say they only had 4 patches in a year, when the patches in linux systems number "in the hundreds", when the reality is far different.

Even MacOS seems to be partway to the debian like approach, where there may be a dozen security updates in a year fixing a small number of vulnerabilities each. It's a consistent line of updates, instead of happening in large steps over which an admin has no control.

In the example of the grandparent, you typeapt-get update && apt-get -u upgrade

It tells you exactly what software has updates and offers to install them. It does the rest for you. Should you want to install one at a time because of potential/expected problems with upgrading them, type apt-get install package-name.

The computer mapping system (I presume) is easier to use than the paper maps. So if someone's missing and it takes (say) an extra 5 minutes to get the map out, plot drifts and currents and say "we'll search here", and the searchplane passes overhead 4 minutes after the boat has sunk without trace... is this still safety critical? If an extra life could have been saved if you had the computer system up?

... no. To be guilty of any kind of homicide or manslaughter, your act has to have been the proximate cause [freeadvice.com] of a person's death. The writer(s) of the Sasser worm might have prevented the Coast Guard from rescuing someone in danger, but the fact that that person was in danger in the first place was not the fault of the virus writer, which would prevent even an involuntary manslaughter charge. Unless the worm caused, say, a malfuntion in the boat's bilge system, which caused the boat to take on too much water and capsize...

With that, are they off the hook? No way. If they are caught, there are lots of laws they could be charged with, some of which are felonies. Murder, or even manslaughter, are not among them, however. At least, not under this limited hypothetical.

In addition, I was fairly sure that there was a limited liability policy on software that limited damages that could be recovered from death or other injuries caused by software (this includes both the Microsoft product, since people have mentioned their potential liability, and the virus itself, if you want to extend the definition of software to viruses) to the price of the CD. In this case, since it was a virus propagating, then the price of the CD is nothing, which would limit the liability of the viru

IANAL, but:
Limited liability exists only when the software was voluntarily and knowingly installed (e.g. after reading a EULA and clicking OK). So you can expect full liabilty (both criminal and civil). In many jurisdications, if a virus directly caused a death they could be charged with murder.

The admin is guilty of negligence, again both criminal (only in the case of gross negligence, which could be failing to patch a critical system), and civil (although as an employee, this usually only means losing

Interesting. I didn't consider the not clicking on some EULA. However, wouldn't the liability still only be manslaughter. If a car directly runs over someone, but the intent was not to kill, then isn't it still manslaughter, not murder? In this case, I doubt that the virus was intended to kill. So, perhaps limited liability might not apply here. However, I have been toying with the idea of also being able to get the virus writer with the DMCA.

No, the car analogy is wrong. At least in the jusrisdictions I'm familiar with, as long as you commited a crime (virus writing/distributing) deliberatly, you commited all side effects of said crime. A more accurate analogy would be an accidental death caused by arson. At least in my jurisdiction, virus writing/distributing is a crime by itself.

If they didn't have an admin. Managment would still be potentially liable (negligence of not having a competent admin), and civil liability would not be diminished.

last negligent act that produces the injury (after the ball rolls down the hill, a stranger picks it up, throws it through a window which breaks the glass, causing the glass to shatter and strike a person who was sitting next to the window, cutting her arm and requiring her to obtain medical treatment). In this example, although you caused the ball to roll down the hill, your act is not the proximate cause of the injury to the

Working tech desk during Sasser outbreak is fun lemme tell you. God save microsoft if they actually were responsible for tech support costs during this thing.

I figure i've taken 40 some Sasser Calls. Each call takes about 7-10 minutes to clean it off and all that. So you figure, 320 minutes or 4 hours of my time. That comes to costing my company something like $40 odd dollars. Now multiply that 40 some by the thounsands of techs just like me who have to do the same thing.

I almost can't blame the customers for doing this. Ever try just updating windows xp over broadband? Takes forever. Now try pulling down 50 some megs of critical updates over a freaking dialup modem. Remember - not a *single* major PC manufacturer I know of installs ANY critical updates on their home pc's they sell to the end user. Nothing. Nada. Dell, HP, Compaq, etc. I've ranted about how irresponsible and stupid this is before and i'll continue to do so now:). I've had two people call recently who - literally - just bought a brand new computer from the local best buy, plugged it into the internet and with 5 minutes got either Sasser or Blaster.

I dearly, sincerly wish that Microsoft would actually build not only a real firewall into their products or/and shut off unneeded services to the internet. I also wish manufactures would actually ship their machines with all the critical updates installed. I also want a pony.

This outbreak isn't as bad as blaster was but still. I'm no MS hater, I understand their product code base is massive and keeping track of all that and bug fixes takes an enormous amount of money and time but they *seriously* need to work on security. I would estimate virus cleanup and spyware sucks up 10-15% of my time at work.

I figure i've taken 40 some Sasser Calls. Each call takes about 7-10 minutes to clean it off and all that. So you figure, 320 minutes or 4 hours of my time. That comes to costing my company something like $40 odd dollars. Now multiply that 40 some by the thounsands of techs just like me who have to do the same thing.

Or try this: According to Microsoft 1.5m users downloaded the cleanup tool via Windows Update. This does not include users that cleaned off their systems via a third party tool from an AV v

How hard is it to have a BSD or Linux box acting as an el-cheapo firewall between the Internet and your internal network? I have a $200 laptop which has done just that task for several years now. I can never be bothered to patch my (Windows) machines, but they never have trouble because they can only talk within each other and not get attacked from the outside. Jeez, even if you paid someone to install it, you could have the whole job done for $1000 with old hardware and a copy of FreeBSD.

I offer one reason why this doesn't happen too often, particularly in the UK. Way too many 'technical consultancies' for institutions like the coastguard are staffed by MCSEs with no proper computer science knowledge who just install Windows XP on every machine, set up 'Internet Connection Sharing', and leave. They wouldn't even dream of putting a non-Windows box on a network!

Thankfully these worms and virus attacks are showing up these idiotic 'we only touch Microsoft stuff' agencies for what they're worth. Any decent technical consultant should be able to advise companies on the right hardware and software to use, independent of vendors.. so it might be Microsoft on the client end, and UNIX on the back end.. but no, the UK (at least) is filled with MCSE ridden agencies who get totally lost when they don't have a 'Start' button to click.

How hard is it to have a BSD or Linux box acting as an el-cheapo firewall between the Internet and your internal network? I have a $200 laptop which has done just that task for several years now. I can never be bothered to patch my (Windows) machines, but they never have trouble because they can only talk within each other and not get attacked from the outside. Jeez, even if you paid someone to install it, you could have the whole job done for $1000 with old hardware and a copy of FreeBSD.

While I fully agree that the authors of virus/worms etc must be held accountable for their actions, surely there are other parties that are also liable for any issues that arrise from a virus/worm infestation.

The obvious one is the good old Microsoft. This has been beaten to death so many times that I am not going to delve into it...

The other group to consider is the people who have been infected. They have partially brought any problems upon themselves. This happens because of many things including the choice they made to run the system was vulnerable, the choice to not patch promptly (if a patch was available), the choice to not better secure their critical systems, etc.

Blaming the virus/worm authors and the author of the vulnerable software is easy (and absolutely right), but people really need to start looking beyond that and realise that it is really their decisions that are the core issue. If you don't want to be vulnerable to Windows virii/worms then don't run Windows. If you need to run Windows, secure it. If is a critical app, pay some serious attention to it...

Basically, I am advocating a bit of responsibility for ones own destiny...

Seriously, whoever was responsible for designing and implementing the system the coast guard uses is at fault.
I can't belive that people who put together systems that perform life critical functions cannot be held liable for the choices they make -
I dont think the OS choice is relevent. Its the setting up of a system that is exposed to the internet. Systems on which peoplses lives depend have no business being connected to unsecure systems - they should be dealing ONLY with the data needed to perform their task.

Seriously, whoever was responsible for designing and implementing the system the coast guard uses is at fault.

I find this propensity for blaming the victim to be very disturbing. Microsoft has been fraudulantly representing their system as both stable and secure, just as they have been fraudulantly representing their system as less expensive than their competitors' products (GNU/Linux, OS X, *BSD, etc). This is a matter of public record... one need only peruse their website and their past marketing of Windows, coupled with their slanderous misrepresentations of competitors such as Linux.

Now, one can argue that the technical staff of the coast guard should have known better (so too should every victim of every fraud perpetrated), but the fact that they didn't is hardly negligence on their part, when their vendor misrepresents their product's security on a daily basis.

I can't belive that people who put together systems that perform life critical functions cannot be held liable for the choices they make

I dont think the OS choice is relevent.

Clearly the data do not support this. Mac OS X is demonstrably more secure than windows, both systematically through an architectural analsys, and through historical emperical data (number of exploits, timeliness of patches, effectiveness of patches, etc.). Ditto for the various flavors of BSD, ditto for Linux, ditto for IBM's various mainframe operating systems, and the list goes on.

Clearly, as the underlying architect and definition of a system's security design, policy, and implimentation, the operating system is the single most relevant design choice one can make.

Its the setting up of a system that is exposed to the internet. Systems on which peoplses lives depend have no business being connected to unsecure systems - they should be dealing ONLY with the data needed to perform their task.

That is unrealistic. Systems which are networked together can save lives. A ship is in trouble and automatically reports its position for rescue, allowing the crew to get on with the more immediate task of not drowning. A hospital computer notes a patient's decline and automatically notifies other systems, which notify the appropriate physicians and medical staff. Proper implimentation is critical, of course, but the "cut the cable" solution is nonsensical, particularly when reasonably secure alternatives such as Linux, Mac OS X, and *BSD exist and are well proven.

The worm writer, and Microsoft's fraudulant representation of their operating system as stable and secure, are the primary culprits in this fiasco. It is time we stopped blaming their victims, and held the perpetrators responsible instead.

To be fair to the coast guard although there computer system was inoperative they did have a perfectly workable backup solution in place which they were able to use to exactly the same end result as they would have achieved using the computers.

OK so it was a worm which took down the systems this time which is something you can protect against but at the end of the day you shouldn't rely on any computer system without a manual backup process ( if it is possible to implement one ) which can take over for saf

Windows is a consumer operating system (despite labels like Windows XP Professional). It has no business being installed on any critical system. This just goes to demonstrate further that you can't cut corners and make false economies by installing consumer operating systems where they are not appropriate.

Despite the apparent Slash-Spin of this article it should be noted that Microsoft released the patch for this vulnerablity over two weeks ago, per:

MS's Security Bulletin on April 13th [microsoft.com] (this is a week before Sasser "hit".) Microsoft did their job, but can the UK Coastguard do theirs? Apparently not... It is so easy to point the finger at the provider or some anonymous joe on the Internet, but it is so hard to take responsibilty for your own lack of action. It's the UK Coastguard's job to apply their patches in a timely fashion so that the services they render can be reliably delivered.

It's possible to get these notices emailed to you as soon as they're available. These people should be fired, er wait.. in UK... sacked.

Does anyone really trust MS Updates anymore? There've been to many horror stories of Updates breaking other stuff for 100% of Windows Admins to trust Windows Update immediately.

Plus there are the basic "rules" about never installing something on a production machine until you're sure it doesn't break anything, combined with never installing anything until someone else has dicovered all of the bugs.
Put these together, and it becomes hard to risk putting patches on anym

The one consistent question that keeps being raised in my mind whenever I hear about mission critical systems being brought down by worms/viruses is:
Why were these systems ever connected to the wider world in the first place?
Mapping systems? Baggage loading computers? Surely these don't need to talk outside anything but a single discrete group of computers. My fear is that people tend to put web browsers, email clients etc on any system these days, for convenience, which is quite bad for security.
Here in my office we have two networks, with two machines on the desk (on a KVM switch), one for external email, internet etc, and one for internal work (it's called COREnet).
We've had problems with the former, but the critical, internal stuff has gone on quite happily on the latter, untroubled by worms.
Oh, and software patches and antivirus are available centrally on COREnet, so the boxes on the internal network aren't just left to chance should something come on via zipdisk/cd.
And our company rolls on....

The Sasser worm, which exploits a flaw in Microsoft's Windows software, disrupted work at the Marine and Coastguard Agency, forcing staff to use pencil and paper to find ships and locate distress calls on maps. [...]

Anyone with an infected machine should visit Microsoft's website to download a software "patch" to fix their system.

No!
Anyone with an infected machine should
stop visiting Microsoft's website
and never use Windows in such a critical environment as
the Marine and Coastguard Agency for God's sake!

The danish newspaper Ingeniøren [www.ing.dk] reports that the Sasser virus attack affected the danihs hospital, Herlev Sygehus. The hospital had to cancle scheduled CT-scannings because the scanners crashed. Also MR-scanners were affected, though no scannings were canceled.

"We do actually have a firewall, but aparently it hasn't been updated enough" sais radiographer Jan Bovin. "It was the scanners running Windows 2000 and XP that were affected, the MR-scanners running Linux had no problems," he sais.

I work in a small insurance brokers without its own internal IT department, and as token geek I get the job of patching workstations since our external IT support guys can't find their own collective arse with both hands and a map.

As soon as the last batch of updates were released - starting about half an hour after I read about the updates on/. - I patched twenty odd workstations individually, manually, over two days. (Manually, because our IT experts have set up our system in such a way that the automatic update service doesn't work.)

Which is why it's f*cking galling that I checked our server's update history this morning and there are sixteen critical updates still waiting to be loaded, because the IT guys say we don't need them and, y'know, we shouldn't worry about it.

Although I think they've denied it in public, Delta Airlines was also brought down over the weekend by this worm. I have a friend who came to Church panting, out of breath because he was late and had to rush. He works at Delta and said he had been there since Saturday patching and cleaning machines. Right after services he was going back.

The system effected was one that calculates passenger and cargo weight so it can be distribuited evenly through out the aircraft. It's one of those systems that's easy to forget. It's not like air traffic control or reservations or something people would consider "critical".

It's scary but ironic that a small forgotten local sub-system can bring down a billion dollar corporation and inconvience tens of thousands of people. It was local to Atlanta, used at the ticket counter and for flights leaving Atlanta but, bring down the hub and the entire operation is effected.

Weight and Balance is an extremely critical factor for flight safety. Even the largest airliners must have carefully controlled weight-distribution to avoid the CofG going 'out of bounds' during various stages of flight (including different trim and fuel states).

Being in the UK myself, I saw this news report on the TV yesterday with a reporter interviewing an employee of the coastguard.

I really got the impression that the reporter was trying desperately to make this into a dramatic news story whereas the coastguard person was fairly level-headed about it. Even she stated that every employee has a backup laptop that is not connected to the Internet as a contingency plan in just these circumstances. Plus, they can also rely on paper maps if necessary.

Yes, we all know Windows has security holes (just like any other piece of software) and that Microsoft could do a whole lot more to make their software more secure - however, the fact is that using good firewalling and educating users properly is the best way of stopping 99.9% of all known worms and viruses.

Microsoft must take some of the blame but so should the salesmen and IT people for possibly not deploying the right platform in the first place and then, post deployment, not ensuring it's secure.

Shouldn't there be a bit better security in an essential service such as that? Why are people allowed to bring insecure machines in, and plug them into the network? Shouldn't they have 24/7 administration? Shouldn't someone have seen a report about Sasser, and patched their machines? We're not talking about Mom & Pop ISP here, we're talking about a branch of a nations military. Why are people coming in with laptops from home, and being allowed on the same network with an essential infrastructure? Haven't their admins read any books on secure networking? What about firewalls between the essential infrastructure machines, and the compromisable network? The way the story sounds, people take their laptops home, browse the Internet, and come to work and plug in pretty much anywhere. I suppose there's more than one CCSP on staff saying "hey boss, told you so" err, maybe "Sir, remember those security recommendations I made last year? May we implement those now?"

I would have thought after MSBlaster ripped through the Windows world that people would have learned to keep Windows away from any and all open internet connections. While competent admins ought to keep their systems patched I find it difficult to understand why networks aren't properly firewalled. If you want to be cheap about it you can just have a single firewall at external connections. A little fancier set-up would be transparent packet filters to segment portions of the network from one another. Keeping everything off the network that wasn't intended to be there would nip many of these sorts of worms in the bud.

I think the bigger issue here is why systems like this, even relatively non-critical ones like the UK Coast Guard's mapping system, are running Windows. I would think that an organization like the CG would be able to get their vendors to develop applications for whatever OS they were running. Agencies set some criteria and contractors meet said criteria. If they were running say Linux I don't think it is far fetched to believe that some contractor would be able to develop the required mapping software for it. The CG might be running COTS software that runs only on Windows but I don't find that likely. I'd welcome an answer however.

Windows is known to be an extremely insecure system despite Microsoft's claims. While Service Pack 2 might magically fix all sorts of problems it is not available to end-users yet. Those magical fixes don't mean much to the here and now. It looks as if Windows' vulnerabilities are costing companies quite a bit of money and eating into their bottom line. I would have thought by now Windows would be on its way out the door in many organizations since their competition such as it is can do many of the same tasks either cheaper or more reliably.

Microsoft has verified that the worm exploits the Local Security Authority Subsystem Service (LSASS) issue that was addressed by the security update released on April 13

I work for the US Army. We knew about this way before the patch came out just by monitoring bugtrack. Less than 72 hours from the bug being confirmed by our service CERT, we firewalled access to this kind of thing. The patch was confirmed for deployment almost 48 hours after the patch became available. If it was not deployed 96 hours after the order, we shut the node down until we can confirm its patched and ready to rejoin the network. The impact of Sasser on our networks? Almost ZERO.

All of our responce is coordinated by the US Army CERT (ACERT). Where did the British Coast Guard equivelent do? Is there such a thing? This is preventable, especially given the time from patch to exploit. Its not like this sprang up overnight. Even then, dont they have a team that monitors this stuff and has authority to order massive disconnet? It seems that MS is not at fault, the British CG CERT failed them here. If they did try to prevent this, what failed them? Anitvirus? Admins who failed to patch? Lack of informing them downrange?

Don't blame the script kiddies for this. They are just kids, after all..... kids are by nature explorers and experimentalists, and this is pretty much hard-coded into the human firmware.

It's like placing a coin on a railway track to see what happens to the Queen's face when a train runs over it, and ending up derailing the train..... an unfortunate consequence, not one that could reasonably have been foreseen by the "perpetrators" {all manner of crap already gets blown around railway lines, what difference does anyone suppose a coin will make?} but one that should have been taken into account by the implementors of the system. If the train makers can't be sure that a coin on the tracks won't derail their trains, then the trains are no good. What if a bird eats a berry, then shits the seed out and it lands on the track and that derails a train? Do you blame the bird? Blame the owner of the hedge the berry was growing on? Or do you blame the person who designed a train so badly that an object on the track would throw it off altogether?

This is an excellent opportunity to sow seeds of change. Open people's minds to the possibility that there might be an alternative to Windows. Ask questions. Did they know there were vulnerabilities? Well, did they not look at the source code? [the what?] The source code -- you know, the human-readable form of the code that can be examined and modified. What scrutiny did you subject the source code to? [but that's a secret!] What -- you bought a locked box that you knew you weren't going to be allowed to look inside, and you didn't get even the tiniest little bit suspicious that somebody might be trying to hide something from you?

Every piece of food you buy is clearly labelled with a list of the ingredients. {this was actually used in an anti-drug propaganda advertisement in the mid-1990s, till some bright spark suggested that surely legal drugs would be properly labelled and the problems caused by not knowing what was in pills and powders were merely a side-effect of prohibition}. The analogy between Microsoft and Tom Lehrer's Old Dope Peddler [aol.com] is a strong one. Give out free samples {educational licence discount}, get people hooked {file format lock-in}, watch the little puppets dance to your tune.

For my part, I have pledged never again to work with Windows, ever. At all. The only repair I will ever again do to a Windows box is to install Linux on it -- barring that, I will simply unplug the power cable, leave it unplugged and consider that an improvement. The time has already come when I would sooner forego a computer altogether than touch Windows.

Yesterday at my local Super Stop & Shop grocery store, all 6 of the self-checkout lanes were down, and all of the human checkout lanes were directing people to the service desk, where one poor woman was hand-imprinting who knows how many hundreds of credit card transactions per hour.

Why?

Apparently the system that reads my credit card number around four times a week for the past year has been running unpatched and unfirewalled.

can he be held at least partially responsible for any deaths that occurred during this outage?

That's an interesting point, which my college CS prof demonstrated to good effect. He asked the class one day - "How many of u expect your cars to be engineered such that they will run safely and properly 99.9% of the time?" Everbody's hand's go up. "How many of u think that if there is a life-threatening fault in the car, the engineers responsible for building it should be held accountable?" Everbody's hand goes, up, along with a few grunts of "DUH!". Then the next question: "How many of you feel that if mission-critical software, like the stuff that runs airplanes, fails, the programmers should be held accountable too?" Silence.... granted writing code ain't quite like building a car, but he got his point across. He wanted to bring home the fact that most software comes with the rider that it won't just one-day break. This applies to non-M$ as much as M$, though with a lot less frequency....

Does that mean if I leave my bicycle unchained, and a person takes advantage of the situation it's my fault? I say anyone who creates a virus solely for the destruction of private property should not only be partially responsible but fully, for all setbacks caused. The worst thing that could happen to microsoft is a case of false advertising, if they specifically said it is more secure than this. Otherwise, no one forced you to buy windows.

According to Wikipedia [wikipedia.org] Elk Cloner [wikipedia.org] was the first virus to be caught "in the wild" i.e. outside of a research lab. It ran on Apple II systems, more than likely because MS-DOS was barely capable of running programs at the time.

Also, lets keep things in context, Sasser can install and execute itself remotely without any user interaction -- there is a big difference between that and booting from a random floppy disk or logging in as root, downloading, chmod +x virus, and executing./virus.

You assume that an admin knows everything, and has infinite time on his hands.

In reality, companies have selected Windows after being told that its administration is much easier than for competing systems. Admins only need to know which buttons to click to setup a new system. In-depth knowledge about the underlying principles is often not available, with the excuse that it was supposed to be unneccessary.

In the end, it may be better to install a system that is a bit more difficult to administer, and thus avoid the administration by unqualified personnel.

Don't have any services running on any ports unless the computer owner has explicitly asked for them.

Here's a question. Suppose I buy a new computer and I want to connect it to the internet over dialup to activate my copy of Windows XP. I now have to hunt around a bunch of menus to turn on the inbuilt firewall before I can do this. Then I have to download some megabytes of patches to make it safe. At a per bit cost that's ridiculous.

Microsoft has to take part of the responsibility and offer to send consultants out for free to patch and fix the servers.

Or, even better, ship Windows with a piece of software that does that automatically? Oh, wait, they already do that...

It needs to be said again: YOUR COMPUTER IS YOUR RESPONSIBILITY! The patch for this one was available for some time (a month or so). You can't pin this one on Microsoft any more than you can blame the car manufacturer for car breakdown after you missed your scheduled service.

Isn't it about time to start introducing fines for people who propagate worms and viruses? Yes, fines for getting your machine infected. It's illegal to drive a malfunctioning car, why should it be legal to operate a malfunctioning computer? Both are a danger to the public.